System and method of guaranteed anonymity of cable television viewership behavior

ABSTRACT

A system and method for permitting viewership behavior on a cable television system, or satellite system, to be analyzed while guaranteeing the anonymity of the individual viewers. Using this system and method, the content of the message initiated by a consumer device, that is configured to receive television programming content, cannot be known by the cable operator even though the cable operator can identify the source of the message; alternatively, the entity that analyzes viewership behavior cannot know the source of the message but can know the content of the message.

BACKGROUND OF THE INVENTION

1. Field of Invention

This invention relates to the field of automatic monitoring of cabletelevision use, and more particularly, to a system and method forpermitting viewership behavior to be analyzed while guaranteeing theanonymity of the individual viewers.

2. Description of Related Art

The following references are related to cable systems or data systemsand the handling of communications between the users.

U.S. Pat. No. 6,289,514 (Link et al.), which is assigned to the sameAssignee as the present invention, namely, QCOM TV, Inc., discloses asystem and method for identifying television programming, identifyingand capturing consumer behavior as regards such programming andproviding a near-real time reporting of that information to interestedparties while providing verification of actual delivery of advertisingand/or program content.

WO 02/05568 (Link et al.) discloses a system and method for providingtelevision programming which has been enabled for interactive purchaseby viewers using their set top boxes over multiple channels for multiplemerchant products/services and for delivering those purchase requests tothe parties who provide fulfillment and billing for those requests. Thissystem/method uses encryption in the transmission ofpurchase/transaction messages from viewers but, unlike the presentinvention, the source of the message needs to be known in order for thepurchased item/services to be delivered to the originator of therequest.

U.S. Pat. No. 5,835,087 (Herz, et al.) discloses a system for thegeneration of object profiles for customized electronic identificationof desirable objects, such as news articles, in an electronic mediaenvironment. A target profile interest summary is generated for eachuser and a cryptographically-based pseudonym proxy server is used toprovide the user with control over the ability of third parties toaccess this summary and to identify or contact the user. However, amongother things, this system requires that the user actively participate inthe establishment of the profile and this proxy server is able totranslate from an individual to a pseudonym and then vice versa.

U.S. Pat. No. 5,872,588 (Aras et al.) discloses a monitoring system foraudio-visual materials presented to subscribers and includes a privacysetting that allows the subscriber to prevent his/her viewing habitsfrom being transmitted.

U.S. Pat. No. 5,245,656 (Loeb, et al)teaches how one might protectindividually identifiable information by combining the use of an“authority”, to translate from an individual ID (identification) to apseudonym and back, with the use of profile data transmitted inencrypted form from a service provider computer. However, unlike thepresent invention, the “authority” in this system has the ability totranslate in both directions.

U.S. patent application No. US 2002/0073435 (Handelman) discloses acable TV system that uses a cable TV network, a multiplicity ofsubscriber units, and apparatus for transmitting encrypted informationover the network of individually-addressed information to a subscriberunit and apparatus associated with each of the multiplicity ofsubscriber units for decoding the encrypted information.

U.S. patent application No. US 2002/0019781 (Shooks et al.) discloses amethod and system for facilitating the anonymous purchase of goods andservices from an e-commerce website. Funds are credited to a cardaccount number in advance of use of a preset amount. However, a user ofthe card is anonymous by virtue of there being no name associated withthe card. Use of this system requires active participation by theconsumer to acquire the anonymous funds card.

U.S. patent application No. US 2002/0073046 (David) discloses a systemand method for secure network purchasing and which uses encryptiontechniques to generate a password from a seed stored in a user'sconfiguration file on the user's computer. However, use of this systemrequires the active participation of the consumer to establish anaccount with the merchant or service provider.

U.S. patent application No. US 2002/0108122 (Alao et al.) discloses asystem for managing delivery of interactive television content frommultiple diverse content or service sources to one or more set top boxesand managing the transaction dialogue from those set top boxes back tothe diverse services. It provides a gateway and translation functionwhich allows a set top box to interact with multiple services andcontent streams while only having to understand the one set of rules andprotocols. Though encryption is discussed at various points, it does notmake the set top box anonymous.

U.S. patent application No. US 2002/0108040 (Eskicioglu) discloses amethod for providing conditional access to a received scrambledaudio/visual signal from a variety of sources, e.g., broadcast TVnetworks, CATV networks, digital satellite systems and Internet serviceproviders.

U.S. patent application No. US 2002/0107909 (Eyer et al.) discloses amethod that allows a user who has access to an audio/visual object tocause an interactive control element of an interactive multimedia systemto grab and store for future retrieval the audio/visual object byactivating a selection mechanism of the interactive multi-media.

U.S. patent application No. US 2002/0108121 (Alao et al.) discloses aservice gateway that provides a proxy between a client protocol and aplurality of standard communication protocols and utilizes encryptionfor interactive television.

U.S. patent application No. US 2002/0099948 (Kocher et al.) discloses asystem whereby, before use, a population of tamper-resistantcryptographic enforcement devices is partitioned into groups and isissued one or more group keys. Each tamper-resistant device containsmultiple computational units to control access to digital content. Oneof the computational units within each tamper-resistant devicecommunicates with another of the computational units acting as aninterface control processor, and which serves to protect the contents ofa nonvolatile memory from unauthorized access.

U.S. patent application No. US 2002/0104098 (Zustack et al.) discloses asystem whereby a subscriber class leases and provides programming for adigital television channel using the 2-way communication capabilities ofa digital set top box. Encryption/decryption is used to preventunauthorized access to programming content and whereby a decryption keycan be transmitted over a video channel, or other communication channel,via modem.

U.S. patent application No. US 2002/0108034 (Hashem et al.) discloses asystem and method for automatically encrypting and decrypting data fortransmission using a process whereby a file is retrieved from adestination-based transmit folder, encrypting the file and thentransmitting the file to an outgoing folder to the destination. The fileis encrypted with an encryption process associated with thedestination-based transmit folder.

U.S. patent application No. US 2002/0104083 (Hendricks et al.) disclosesa system supporting targeted advertising directed to televisionterminals connected to an operations center or cable headend.

“Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms”by David Chaum (Communications of the ACM, Vol. 24, No. 2, Feb. 1981)teaches how encryption techniques can be used in conjunction with anintermediary authority to mask the source of an email while providing amechanism by which the recipient can respond to the originator withoutdisclosing who the originator might be. However, this approach requiresthat the “authority” be able to both encode and decode the originator'saddress.

“A Secure and Privacy-Protecting Protocol for Transmitting PersonalInformation between Organizations” by Chaum and Evertse demonstrates aproof that relies on the active participation of individuals (or theiragent) to monitor and coordinate the distribution of personalinformation among organizations. In this instance, the “authority” isthe individual who can associate the private information with aparticular ID or pseudonym.

Thus, there remains a need for a system and method of guaranteeing theanonymity of the source of a message (wherein the source is coupled to acable television system for receiving television programming contenttherefrom) but allowing the content of the message to be analyzed by adownstream entity without requiring intervention by the originator ofthe message.

All references cited herein are incorporated herein by reference intheir entireties.

BRIEF SUMMARY OF THE INVENTION

A method for obscuring the identity of a source of a message whileallowing the content of the message, and subsequent messages, issuedfrom that source to be analyzed and wherein the source is coupled to acable television system (this term also includes “satellite” systems)for receiving television programming content therefrom. The methodcomprises the steps of: encrypting the content of a message issued fromthe source (e.g., televisions, set top boxes, digital cable-ready settop boxes, cell phones, PDAs (personal digital assistants), computersand other similar devices having display screens that allow the user toreceive and view television content from the cable television system) toform a first message wherein the first message contains sourceidentification indicia and wherein the first message is transmitted to aremote device (e.g., a server); decrypting the first message into afirst decrypted message upon receipt of the first message by the remotedevice; substituting the source identification indicia with anonymousidentification indicia that cannot be traced back to the sourceidentification indicia; and encrypting the first decrypted message alongwith the anonymous identification indicia into a second message andtransmitting the second message to a location to be analyzed.

A system for obscuring the identity of the source of a message whileallowing the content of the message, and subsequent messages, issuedfrom that source to be analyzed, wherein the source is coupled to acable television system (this term also includes “satellite” systems)for receiving television programming content therefrom, and wherein thesource (e.g., televisions, set top boxes, digital cable-ready set topboxes, cell phones, PDAs (personal digital assistants), computers andother similar devices having display screens that allow the user toreceive and view television content from the cable television system)ofthe message encrypts the message content while embedding sourceidentifier indicia in the encrypted message. The system comprises aserver, wherein the server comprises: means for decrypting the encryptedmessage into a first decrypted message; means for generating anonymousidentification indicia and for substituting the source identifierindicia with the anonymous identification indicia to form a firstdecrypted message having the anonymous identification indicia embeddedtherein, and wherein the anonymous identification indicia prevents thefirst decrypted message from being traced back to the source identifierindicia; means for encrypting the first decrypted message having theanonymous identification indicia embedded therein to form a secondencrypted message having the anonymous identification indicia embeddedtherein; and wherein the server transmits the second encrypted messagehaving the anonymous identification indicia to message content analysismeans.

BRIEF DESCRIPTION OF SEVERAL VIEWS OF THE DRAWINGS

The invention will be described in conjunction with the followingdrawings in which like reference numerals designate like elements andwherein:

FIG. 1 is a figure layout for FIGS. 1A-1B;

FIGS. 1A-1B, together, constitute a block diagram of an exemplaryviewership behavior analysis system similar to the one shown in U.S.Pat. No. 6,289,514 (Link et al.) which uses the present invention;

FIG. 2 is a block diagram showing the present invention used between thesource of a message and a viewing event dispatcher;

FIG. 3 is an isometric view of a secured location that houses the serverof the present invention;

FIG. 4 is a functional diagram of the present invention; and

FIG. 5 is a flow diagram of the software of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

The present invention 400 forms a portion of a cable television (thisterm is broadly construed to cover any and all variations of what isknown in the art as “cable television” and “satellite systems”)viewership behavior analysis system, such as that disclosed in U.S. Pat.No. 6,289,514 (Link et al.) whose entire disclosure is incorporated byreference herein. It should be understood that the viewership behavioranalysis system of U.S. Pat. No. 6,289,514 (Link et al.)is cited by wayof example only and that the present invention 400 can be adapted foruse in any data system where knowledge of the source of a message andknowledge of the content of the message need to be exclusive of eachother, as will be discussed in detail later.

As shown in FIGS. 1A-1B, a viewership behavior analysis system (referredto as TPAS-television programming analysis system-in U.S. Pat. No.6,289,514) identifies television programming, identifies and capturesconsumer behavior as regards such programming and provides a near-realtime reporting of that information to interested parties (e.g.,advertisers, television network programmers etc.), hereinaftergenerally-referred to throughout this Specification as “viewershipbehavior analysis entities.” Television programming content is deliveredto and viewable by consumers using such devices (hereinafter referred toas “sources 1” (FIG. 1B), the reason for which will be discussedshortly) as televisions, set top boxes, digital cable-ready set topboxes, cell phones, PDAs (personal digital assistants), computers andother similar devices having display screens that allow the user toreceive and view television content from a cable television system towhich these devices are connected. Where the source 1 is a cell phone,PDA, etc., a “pod” 2 (e.g., a memory chip such as a smart card, flashmemory card, etc.) is inserted into the source 1. The pod 2 allows thesource 1 to receive television programming content and also comprises aunique source ID. Thus, when the consumer obtains cable service from thecable system operator, the cable system operator issues the pod 2 to theuser once all of the consumer information is obtained. Where the source1 is a set top box (STB) or television, the pod 2 is not required.

Each source 1 contains an application program that “observes events”(e.g., channel change, volume level change, etc.) and which thengenerates a message regarding the event; as a result, each source 1 is a“source” of the event message and hence the label “source 1” is given toeach of these devices. Where the source 1 uses a pod 2, it is the pod 2that contains the application program.

In addition, each source 1 is assumed to have a unique ID, such as aserial number (and, as mentioned earlier, where the pod 2 is used, it isthe pod 2 that contains the unique ID). That unique ID value is includedin every message (e.g., an “event” message) that originates from thesource 1 and is ultimately transmitted to an analysis processingfunction.

Although the analysis processing function does not form any part of thepresent invention, it should be understood that since the source 1 caninclude any of the aforementioned devices, not just set top boxes(STBs), the analysis processing functions shown in FIGS. 1A-1B havereplaced the “STB” designator with “viewing” or “source”, i.e., STBevent dispatcher, STB event audience tracking sampler, STB eventaggregator, STB service request router, Set Top Box ID database, STBaggregate data and STB event count propagator of FIGS. 1A-1B of U.S.Pat. No. 6,289,514 are now viewing event dispatcher, viewing eventaudience tracking sampler, viewing event aggregator, viewing servicerequest router, source ID database, viewing aggregate data and viewingevent count propagator in the present application but they arefunctionally the same as described in U.S. Pat. No. 6,289,514.

It is with particular regard to the conveyance of the message from thesource 1 to the viewing event dispatcher 209 that the present invention400 pertains. As a result, the viewership behavior analysis system willnot be discussed in any further detail.

As shown in FIG. 2, the communication path 305/305A between the source 1of the message, server 410 (which will be discussed in detail below) andthe viewing event dispatcher 209 may comprise any well-knowncommunication media, such as but not limited to a cable televisionsystem, Internet, wireless communication means, wide-area network (WAN),etc. Where the source 1 is a cell phone, PDA, computer, etc., and thewhere the pod 2 is used, the communication path 305 can be used.Alternatively, where a STB or cable-ready television is used, the cablesystem itself, i.e., communication path 305A (including the two-waycable system 302/cable head end 301) can be used. There are many variousways of implementing the communication path 305 between the source 1,server 410 and the viewing event dispatcher 209. Thus, it should beunderstood that the scope of the invention is not limited by how thesource 1 of the message communicates with or to the server 410 nor howthe server 410 communicates with or to the viewing event dispatcher 209.

Once the source 1 issues the message M over the communication path305/305A, the message M arrives at the server 410, which comprises thepresent invention 400. As shown in FIG. 3, the server 410 is secured atlocation 412 that is under the control of the cable system operator, ormanaged by an associated entity (e.g., a subcontractor) of the cablesystem operator (this associated entity hereinafter referred tothroughout this Specification as “agent” implying an “agent of the cablesystem operator”); the important feature of the secure location 412 isthat the viewership behavior analysis entity has no control/access tothat location 412 on its own. Access to the server 410 (which is ownedand operated by the entity that conducts the viewership behavioranalysis) is password protected and “locked down.” The cable systemoperator does not have the password and therefore cannot access theserver 410. The entity that conducts the viewership behavior analysis,for whom the event message M is destined, has the password but cannotgain access into the secure location 412 (inside which the server 410 islocated) without cable system operator/agent supervision. Althoughvarious physical lock/key schemes can be used at the secure location412, such as that used with safety deposit boxes at financialinstitutions (where the box owner has one key and the financialinstitution has another key, both of which are necessary to gain accessto the box), the important feature is that no one except the viewershipbehavior analysis system entity can gain access to the server 410itself. The importance of this secure feature will be discussed below.

As shown in FIG. 4, an internal message generator MG (e.g., the thirdparty application disclosed in U.S. Pat. No. 6,289,514) of the source 1(e.g., a STB) creates the “event message” M (when the television eventoccurs) which includes the identification number (ID) of the source 1embedded therein. Message M is then inputted to a first encryptionprocess EP1 which encrypts the television event message M, referred toas message EM1, but does not obscure the ID of the source 1; thus thesource 1 transmits the message EM1 over the communication path 305/305A.In this format, the cable system operator has the ability to identifythe source of the message EM1 but is unable to know the content of themessage EM1.

When message EM1 is transmitted over the communication path 305/305A, itarrives at the server 410 where a first decryption process DP1 operateson the message EM1 to decrypt the message into decrypted message DM1. Atthis point, source 1 data which the cable company has previouslyobtained (e.g., zip code of the source 1, network segment, and otherdemographic information such as cluster codes, etc.) are inserted intothe decrypted message DM1 (see FIG. 5).

The decrypted message DM1 is then sent to an anonymous ID (AID) process420. Basically, in the AID process 420, the unique source ID value isextracted from the decrypted message DM1 and replaced with an anonymousID. The AID that replaces the unique ID for the source 1 is consistentfor every subsequent message for that unique source ID and isunduplicated across all other unique source IDs. In other words, oncethe AID is generated for a particular source 1, that same AID is usedfor subsequent messages corresponding to that particular source 1.However, the AID cannot be traced back to the actual source 1 bymatching against cable customer records. The result is that the contentof the message M initiated by the consumer's source 1 cannot be known bythe cable operator even though the message may pass through the cableoperator's systems (e.g., path 305A) or components (e.g. pod 2) and thecable system operator has the ability to identify the originating source1; on the other hand, although the viewing event dispatcher 209 candetermine the content of the message, the viewing event dispatcher 209cannot, in any way, determine the identity of the originating source 1.

Subsequent messages having the AID are grouped based on the AID ashaving been initiated by a single source 1. More importantly, thatprocess cannot use the AID to reverse engineer the AID back into theoriginal unique source ID. Thus, the object of the present invention 400protects the contents of the messages from others during its travel tothe final destination.

The AID is created by utilizing a mathematically-based mechanism asopposed to a secured “look-up” or “cross-reference” type of mechanism(e.g., a secured database that cross-references the identity to apseudonym). One example of such a mathematically-based mechanism thatprocessing the unique source ID comprises using a combination of aproprietary character string and a portion of the unique source ID as a“seed” (i.e., an initial value). For example, if the unique source IDnumber is 12345678, the AID process 420 may extract the portion “4567”to form the seed and then using a mathematical hash to mix this portionwith, again for example, the entire number “12345678” to generate theAID. Thus, each time the server receives the message EM1 from aparticular source 1 and decrypts message EM1 into message DM1, the AIDprocess extracts the same portion from the unique source ID number andthen applies the mathematical hash to generate the same AID for eachmessage subsequent that originates from that same source 1 and embed itin the message. The result is a unique and consistent AID. The createdAID replaces the unique source ID in the decrypted message DM1.

Next, decrypted message DM1 is then fed through a second encryptionprocess EP2 to form a second encrypted message EM2 that includes theAID. Message EM2 is then sent out on another communication path 307(which also may comprise any well-known communication media, such as butnot limited to a cable television system, Internet, wirelesscommunication means, wide-area network (WAN), etc.) to the viewing eventdispatcher 209. The viewing event dispatcher 209 comprises a seconddecryption process DP2 that decrypts the message into decrypted messageDM2 and permits the viewing event dispatcher 209 to determine onto whichdestination it should send the decrypted message DM2; however, thedecrypted message DM2 still comprises the AID, thereby preventing theviewing event dispatcher 209, as well as any other downstreamprocessing, from ever determining which source 1 the message Moriginated from.

FIG. 5 is a flow diagram of the software of the present invention. Inparticular, in step 450 the server receives the encrypted message EM1.In step 452, the server activates the first decryption process DP1 togenerate decrypted message DM1. In step 456, the software combines thecable company source 1 data from step 454 with the decrypted messageDM1. Step 458 comprises the generation of the non-reversible AID, asdiscussed previously. In step 460, the unique source ID is replaced withthe AID. Next, in step 462, the software then activates the secondencryption process EP2 to generate the second encrypted message EM2.Finally, in step 464, the software transmits the encrypted message EM2over the communication path 307 to the viewing event dispatcher 209.

As can be appreciated by the foregoing, all of these processes areautomatic and do not require the intervention of the viewer from whoseset top box the message M originates.

One example of the encryption and decryption algorithms that can be usedin the present invention are those such as Kerberos Authenticationencryption available from Massachusetts Institute of Technology atwww.mit.edu/kerberos/www.

While the invention has been described in detail and with reference tospecific examples thereof, it will be apparent to one skilled in the artthat various changes and modifications can be made therein withoutdeparting from the spirit and scope thereof.

1. A method for obscuring an identity of a source of a message whileallowing content of the message issued from that source to be analyzed,and wherein the source is coupled to a television system operated by asystem operator for receiving television programming content therefrom,said method comprising the steps of: obscuring the content of themessage from a system operator by encrypting the content of a messageissued from the source to form a first message, said first messagecontaining source identification indicia and wherein the system operatorknows the identity of the source of said first message, said firstmessage being transmitted upstream to a remote device on the televisionsystem; decrypting said first message into a first decrypted messageupon receipt of said first message by said remote device; generatinganonymous identification indicia upon receipt of said first message bysaid remote device; substituting said source identification indicia withanonymous identification indicia into said first decrypted message toform a second message, and wherein said anonymous identification indiciacannot be traced back to the source; and encrypting said second messageand transmitting said second message to a location to be analyzed. 2.The method of claim 1 wherein said step of substituting said sourceidentification indicia with anonymous identification indicia comprisesgenerating said anonymous identification indicia by using a characterstring and a portion of said source identification indicia in amathematical hash algorithm.
 3. The method of claim 2 wherein said stepof generating said anonymous identification indicia is repeated eachtime a subsequent message from a particular source is received such thatsaid anonymous identification indicia is consistent for each source. 4.The method of claim 1 wherein said step of substituting said sourceidentification indicia with anonymous identification indicia isperformed at a secure location where a data analysis entity can onlygain access with assistance from the system operator or an agent thereofand wherein the secure location comprises a computer that ispassword-protected and wherein the system operator, or an agent thereof,does not have the password but the data analysis entity does have thepassword.
 5. The method of claim 1 further comprising the step ofinserting cable system source data into said first decrypted message. 6.The method of claim 5 wherein said source data comprises cable systemnetwork segment data.
 7. The method of claim 5 wherein said source datacomprises cluster code data.
 8. The method of claim 1 wherein saidsource is a set top box.
 9. The method of claim 1 wherein said source isa cell phone.
 10. The method of claim 1 wherein said source is apersonal digital assistant.
 11. A system for obscuring an identity of asource of a message while allowing content of the message issued fromthat source to be analyzed by a message content analysis means, saidsystem comprising: means for encrypting, said encrypting meansencrypting the message content along with source identifier indicia inan encrypted message; and a server, said server comprising: means fordecrypting the encrypted message into a first decrypted message; meansfor generating anonymous identification indicia and for substituting thesource identifier indicia with said anonymous identification indicia toform a second message having said anonymous identification indiciaembedded therein, wherein said anonymous identification indicia cannotbe traced back to the source; means for encrypting said second messagehaving said anonymous identification indicia embedded therein to form asecond encrypted message having said anonymous identification indiciaembedded therein; and wherein said server transmits upstream said secondencrypted message having said anonymous identification indicia to themessage content analysis means.
 12. The system of claim 11 wherein saidmeans for generating anonymous identification indicia comprises acomputer-readable medium having computer-executable instructions forusing a character string and a portion of said source identificationindicia in a mathematical hash algorithm to generate said anonymousidentification indicia.
 13. The system of claim 12 wherein said meansfor generating anonymous identification indicia repeats the use of saidmathematical hash algorithm each time a subsequent message from aparticular source is received such that said anonymous identificationindicia is consistent for each source.
 14. The system of claim 13wherein said source is a set top box.
 15. The system of claim 13 whereinthe source comprises a memory chip that permits said source to receivethe television programming content and wherein said source is a cellphone.
 16. The system of claim 13 wherein the source comprises a memorychip that permits said source to receive the television programmingcontent and wherein said source is a personal digital assistant.
 17. Thesystem of claim 13 further comprising means for inserting cable systemsource data into said first decrypted message.
 18. The method of claim17 wherein said source data comprises cable system network segment data.19. The method of claim 17 wherein said source data comprises clustercode data.
 20. The system of claim 11 wherein said server is positionedat a secure location where a data analysis entity can only gain accessto said secure location with assistance from the system operator oragent thereof and wherein said means for generating anonymousidentification indicia comprises a computer that is password-protectedand wherein the system operator does not have the password but the dataanalysis entity does have the password.
 21. A method for obscuring anidentity of a source of a message while allowing content of the messageissued from that source to be analyzed by a data analysis entity, andwherein the source is coupled to a television system operated by asystem operator for receiving television programming content therefrom,said method comprising the steps of: obscuring the content of themessage from a system operator by encrypting the content of a messageissued from the source to form a first message, said first messagecontaining source identification indicia and wherein the system operatorknows the identity of the source of said first message, said firstmessage being transmitted upstream to a remote device on the televisionsystem; decrypting said first message into a first decrypted messageupon receipt of said first message by said remote device; generatinganonymous identification indicia upon receipt of said first message bysaid remote device; substituting said source identification indicia withanonymous identification indicia, and wherein said anonymousidentification indicia cannot be traced back to the source by the dataanalysis entity; and encrypting said first decrypted message along withsaid anonymous identification indicia into a second message andtransmitting said second message to a location to be analyzed.
 22. Asystem for obscuring an identity of a source of a message while allowingcontent of the message to be analyzed, said system comprising: anencrypting device adapted to encrypt the message content along withsource identifier indicia in an encrypted message; and a server, saidserver comprising: means for decrypting the encrypted message into afirst decrypted message; a generator adapted to generate anonymousidentification indicia upon receipt of said encrypted message and tosubstitute the source identifier indicia with said anonymousidentification indicia wherein said anonymous identification indiciacannot be traced back to the source by the data analysis entity; anencryption device adapted to encrypt said first decrypted message havingsaid anonymous identification indicia embedded therein to form a secondencrypted message having said anonymous identification indicia embeddedtherein; and wherein said server transmits upstream said secondencrypted message having said anonymous identification indicia.